Hi, DEF CON. Thank you. I'm Nikhil Mittal. I'm from India. And I'll be talking about
PowerPreter: post exploitation like a boss. So how many of you are penetration testers?
You surely do post exploitation? Yes or no? Yeah. So we'll have a look at something which
could be used to enhance your post exploitation experience. Sounds like a vendor term, but
yes. And let's have fun. So something about me. I'm a hacker who goes by the handle
samratashok. This is my Twitter handle. And you can find my blog posts on Twitter and Facebook.
I'm creator of Kautilya and Nishang. Kautilya is a toolkit which could be used to use human
interface devices like Teensy and others in a penetration test or whatever way you want to be.
Nishang is a post exploitation framework in PowerShell. PowerPreter is going to be a part
of this framework. You can find both of them on my blog. So I'm going to show you how to
use these on Google Code. Links are on my blog. I'm interested in offensive information
security, methodology to own systems, getting into systems. I'm a freelance penetration
tester. Just read it twice. And I've spoken at a couple of conferences before this. And this is
my first time at DEF CON. Thank you.
Thank you. So what would we be looking at? What is the need
for post exploitation? What is PowerShell, in a couple of slides. Why do we need PowerShell?
And then we will look at architecture, usage, payloads and much more details. Then there's a
web shell which I call C sharp.net, and PowerShell. And the limitations and conclusions. So
what is post exploitation? For me it is the most important part of a penetration test. As a
freelance penetration tester I know that someone who is going to pay me doesn't understand what
a shell is. "But I got access to your DC." "Yeah, that's okay. Even I have access to my DC."
So that's the kind of response you get in a meeting with the client, with those guys who want to
pay you. So we need some ways to show actual data or things like, if it's a pharma company, the
complaints the customers have made against them, or if it's, you know, if it's a
supply chain management company, then the profit they take at every step of the supply chain,
things like that. So this differentiates a good penetration tester with something which I've
written, et cetera. So what is PowerShell? It's a shell and a scripting language which is
present, I think, post Vista. It is present by default on all Windows systems. It is
an automation framework designed to help system admins and, of course, penetration testers who
know how to use it to their profit. It is based on the .NET framework and is tightly integrated with
Windows. Yes, it's by default on Windows. So why PowerShell? Anybody here uses PowerShell
for their penetration testing things? Wow. Nice. Any one of you use Nishang by any chance?
Just out of curiosity, anybody here uses Kautilya or knows what it is already? Okay. Thank you.
So, yes, why PowerShell? It's easy to learn and powerful.
The help system is quite good. You can read help about every command or commands or whatever it is
in it. We're not going into details of that. And one thing which I have come through during my
penetration tests is that it is trusted by system administrators, countermeasures, et cetera. No
one actually cares about PowerShell. There are a lot more things to have a look at. It's a lot of
work. You can consider it a bash of Windows. Many things like commands like ls, cat, et
cetera, the very common ones, are used as aliases in PowerShell. So it would be comfortable
using it. And this means less dependence on any library which converts your code to an
executable, let's say py2exe, things like that. And somewhat, you know,
to some level less dependence on MSF, too. MSF is very good. I mean, it is nowhere near
Meterpreter, from where it borrows its name. But AV vendors are all around MSF. So it's good if
sometimes you have something in your tool chest other than MSF which can help you in achieving
things in a similar way. PowerPreter. Yeah, it's a post-exploitation tool. It's a very
good post-exploitation tool written in PowerShell. It's a module. How many PowerShell
programmers or guys use PowerShell other than for penetration testing, for anything? Same guys.
Okay. It's a module or a script. It depends on the usage. So how PowerPreter is designed is,
if you rename a file to .ps1, which is the default extension for PowerShell scripts, it could be
used as a PowerShell script, and if you rename it as .psm1, then it's a PowerShell module.
Payloads and features are all divided into different functions. Each function represents a
different functionality. So if you have some PowerShell code which you want to include with
PowerPreter so that its helper functionalities could be
used, for example persistence, pivoting, et cetera, then you can just write a new function,
copy it into your PowerShell module and you are good to go. So how to use PowerPreter? So
since we are talking about post exploitation, we will assume that we have access to a
machine, rather we have administrative access to a machine, and we will try to make our way to
other machines on the network, backdoor that machine or pull data out of that machine. More
effectively that could be done using non-PowerShell methods, or at least in a more stealthy
way. And yes, the third thing, it could also be used with a Meterpreter shell. You can use
the ‑‑ and one thing, if you are using it from a Meterpreter shell, you won't be able to get an
interactive PowerShell prompt from Meterpreter. It's the way PowerShell handles output
redirection. And other than from Meterpreter, if you have any custom shell code which gives you the
ability to execute code on a machine, you can always use PowerShell and hence PowerPreter.
So there are many payloads that can be used with PowerPreter. We will have a look at it. That would be the most lengthy part of this
talk. Most of the time will be in the demonstrations. So these are the capabilities of
PowerPreter. Using WMI permanent event consumers, we will backdoor the machine. It won't be a
startup script or something like that, service failure or scheduled task. It won't be anything of
these. It would be ‑‑ we will use WMI permanent event consumers. That's it. That's all I can
explain right now. We will have a look at it. We will use built‑in PowerShell remoting to
pivot to other machines. There are two ways possible. Either we will just run commands noninteractively,
or we will interactively run commands or scripts or whatever on a remote machine. We have a
simple function called Enable-DuplicateToken, written by a friend, Nicholas, which is nothing
great. But if you are an admin on a machine, you can get SYSTEM level access and do stuff like
dumping hashes or LSA secrets, et cetera. Then there are helper functionalities. So you can
use simple ones like converting executables to Unicode encoded text or Base64 encoding for
exfiltration, et cetera. So these are some helper functionalities. Deployment. We can deploy
PowerPreter from a PowerShell session, from a PowerShell remoting session. We can use Meterpreter.
What else can we use? We can use PsExec, obviously, because that allows us to execute commands on a
remote machine.
We need a volunteer from the audience, first time DEF CON person. Your hand shot up.
Yeah, yeah, yeah, everybody else is like, damn it!
All right.
To our new speaker and our new attendee.
Busy afternoon.
No following us.
We know you're out there.
Okay.
So.
PowerPreter could be deployed using
drive-by downloads. We'll use an HTML application which will
execute VB code which in turn would download PowerPreter
from a server and execute it.
And we can also use a human interface device, because I love
to insert HID things into everything.
So select a couple of functionalities and run them from
your HID device.
Sorry.
So let's get down with demos.
So let's assume.
Do you want me to assume that I have clear text passwords of
the remote machine, or do I have the hashes of the remote
machine?
Okay.
So this is an attacker machine and we'll use WCE to pass the
hashes.
So let me boot the target first.
Increase your font size.
In your terminal.
Please.
What?
The font size?
Yes.
So what we'll do, we'll use these hashes with WCE and on our
victim we'll get the information we need.
will have administrative access. So because it's a post‑exploitation thing, please don't
shoot me. So we'll have a remote session, which is PowerShell remoting, a built‑in feature of
PowerShell which is enabled by default post Server 2012. So we'll have a remoting session on
the victim machine. There we'll download the PowerPreter module, import it and we'll have
fun. So ‑‑ okay. So we have hashes with us.
Okay.
Ouch.
So let's ‑‑ okay. This Enter-PSSession cmdlet opens a PS session with this remote
computer name, which is called.
It means stand‑alone. It's not part of any domain.
Let me try with credentials then.
Maybe I have ‑‑
Hold the hashes with me.
Thank you.
Okay, I think that was an issue with the ‑‑ because my attacker machine had PowerShell
version 3, and the victim is PowerShell version 2. So maybe because of that; otherwise I just
tested it before the talk. Okay, so the roles are reversed. So my VM machine is now the attacker.
Okay.
Okay.
So let's ‑‑ okay, I am ‑‑ now if I import the module, because ‑‑ sorry.
Okay.
Okay, so the module is already there. Either we can download it using this one liner, which
is this. But I'm not going to do that because I've already wasted a couple of minutes. So,
I've renamed it. Okay.
I've named it to update.psm1 because I was testing some things. So let's
import this. Now we have some functions imported into this current PowerShell session. For
example, let's see. Won't be beautiful. But let's see what is ‑‑ some juicy or basic
information about the client. Okay.
Okay. Isn't it looking beautiful? But as you can see we have ‑‑ we have
logged in ‑‑ profiles of logged in users. PowerShell environment. The trusted hosts.
The saved sessions. Recently used commands. Are there any issues on the machine? No.
Environment variables. Some details about the current user. No SNMP. Installed applications.
Installed applications for the current user. Domain name, no, it's a standalone system.
Contents of etc/hosts, running services, local users, local groups, WLAN info. This is the
thing which messes it all. Et cetera.
So this gives us a basic idea about the target system.
Now let's have a look at the basic things like getting the WLAN keys. So one thing I would
like you to note is, for example, when I say Get-WLAN-Keys, this is an independent script. So
this is not because of PowerPreter, it's in the system.
Let's get out of this folder. Okay. So this Get-WLAN-Keys function shows us the keys in plain
text of all the Wi‑Fi WLAN profiles saved on that system, that is, the WLAN
settings on that system, or the WLANs it has connected to in the past. No, that's my home Wi‑Fi.
Okay. Just to make things faster, I made a list of what I want to demonstrate. Okay.
WLAN keys are done. The key logger I'm not showing. It takes time. Okay. We already had hashes. We
assume that we had hashes. But suppose you got access to this system from a remote shell. You
don't have access to the password hashes. Then let's use this. Will we get hashes? No, we
won't. Because we need SYSTEM privileges to execute this thing. So for that we have a helper
function called Enable-DuplicateToken. This duplicate token is going to be used to
create a SYSTEM token from the LSASS process and assign it to the current PowerShell thread. So we
run both of these in tandem. And here we do have the hashes of the system.
Okay. But these are hashes. What they are doing is they are using a SYSTEM token from a
remote shell. So what if you want LSA secrets from the machine? Let's try it out. Okay. But
this is a 64‑bit system, a new victim. So for that I need to execute ‑‑ okay.
Is it the correct path? Wow, 64‑bit. It's just fine. Okay. So let's try it out. Okay.
Thank you.
This is 32‑bit PowerShell because LSA secrets are stored in the 32‑bit registry. And here we
have two ‑‑
32‑bit PowerShell, call Enable-DuplicateToken and call Get-LsaSecret. So that works. Let's see.
Thank you.
Okay. So we will input
it.
Okay. So we have the LSA secrets of this machine.
As you can see, this is, again, my password.
Okay. Now, let me try again to get back to the older victim, because for a couple of these things, I have MS SQL Server running on the older victim.
Or rather, let's use it on the same machine.
Let's do it on ourselves.
Okay. This is bound to be successful because you are running on the same machine.
We'll leave it for now.
Let's execute some MS SQL commands.
machine with user name this and password this. So it asks whether you want to run a
PowerShell shell or a SQL shell or a command shell. Let's select PowerShell. So now we have a
PowerShell shell on this machine. So let's check what's the version. It's version 2. And we
can do much stuff.
So there are already many built‑in cmdlets in PowerShell which could be very useful in a
penetration test. For example, Get-Process, etc. We do have a basic port scanner, too.
But let's leave it. Okay. We do have execute shellcode, but let's leave it, too. I want to
show you one more thing which was not present in the slides on the DVD. That's why. Let's have a
look at pivoting.
Where will we pivot to? Meanwhile, it's getting up. Let's have a look at a video.
Okay. I'm on a remote machine. Zoom out. As you can see, I'm on a remote machine.
I think I'll open it in VNC. No, it's not playing it. Okay. I'll try to ‑‑ so we are on a
remote machine.
And here I just imported the module. And this is a backdoor called wait for command, which
waits ‑‑ which polls a URL for commands. And only when ‑‑ those who can't see, I'm
sorry. So we have this check URL as this pastebin. And as the payload, you can see the
URL. We'll use this pastebin URL. You can use any service, any website, any web app you want.
Okay. We have the check URL, the payload URL, the magic string. The magic string: the
payload will check if the magic string provided to the payload matches this one. Only then the
payload will execute. It says "start123". And the stop string is "stop".
Whenever "stop" comes in place of "start123", the backdoor will stop.
Okay. We just downloaded PowerPreter and got hashes of the system. As you can see, the payload was this.
And now we change the payload to maybe get process. And meanwhile, we just keep on
in the background, the back door, it's waiting for either the stop string or next command.
Till the time stop is not found on the check URL, it will keep looking for new commands or
new payloads on the payload URL part. And the time it takes, one minute, it takes 60
seconds to execute commands in between. So that it doesn't create too much noise or too much
traffic to get caught easily. So after waiting for one minute.
Okay. So I'm running out of time. So it will show the process and then I'll change it to
stop and it will stop.
Let's leave the pivot thing for a while. I'll blog about it. Okay. Let's see the
IP of this victim. Okay. Assume you have file upload or somehow you can upload files to ASP.NET
machine or server. So you can use this. This may come handy. So what is it? 146. Okay. So
let's see what it does.
sharp.net, as I said, it is what I call it. The UI is designed to look like an actual PowerShell
prompt. You have the ability to download and upload files. You can execute scripts using the
encode and execute button. And if the remoting is enabled, you can also run commands on
remote machines using this web shell. So before the demo, meet Yamraj. What's this? Wife of
Yamraj. Is it visible? Better now? Let's have a quick look at it. If you type help, it will
show you how you can execute commands and this on the victim using this. The best thing
in this is the encode and execute option. You can actually copy a fairly large PowerShell
script into this command console. When you click it, it uses Compress-PostScript by
Carlos Perez. It compresses the script and uses PowerShell's encoded command to
execute the script on the victim. We won't have a look at it. It will take time. Let's see whether
we are really able to do something. Yes. Some basic commands. Yes. Users. What else?
Any command you want me to run here? Anything. And one thing is if you want to download or
upload any file, the help clearly says you have to physically type here, for example, if you
want to upload a file to the current directory, you have to put the full name here. And
that's it. Browse for it. Sorry. Browse for it. Select it and upload it. That's a little
bit inconvenient, but it's for the purpose of maintaining the feel of a proper PowerShell
prompt. Okay. Limitations. You have to understand that if you want to do something, you have to
run it. I have been using this for the past six months. Many of the payloads
are already part of Nishang. So some of them have undergone some testing. Others have not. So
bugs will keep coming. I think a tool improves with time. And one aspect is the key logger does
not work from the PowerShell remoting session. I don't know why. It's maybe because of the
runspace restrictions with the PowerShell remoting session. I don't know
why. I'm unaware of any key logger in PowerShell which runs from a PowerShell remoting session.
Yes, backdoors can be detected with careful traffic analysis because it's a fixed time
interval in which it polls the source. It depends upon PowerShell remoting. To conclude with,
PowerShell gives you much control over a Windows machine or a Windows network. And PowerPreter
utilizes this thing in an attempt to ease this most important phase of a penetration test.
Obviously there are other ways to do the same thing. PowerShell just makes it, or tries to make
it, easier. I would like to thank, give a shout-out and give credit to all these guys who are friends
and fellow PowerShell hackers. So I would request applause for these guys.
And I would like to thank my friend, Arthur, who helped me getting here. And there's another
interesting PowerShell talk tomorrow by Joe. Please make sure you attend it. Thank you. Any
questions, insults, feedbacks, you're welcome. Thank you.
Thank you very much.
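The speaker's own limitation, that the polling backdoor is detectable by traffic analysis because it fetches the check URL at a fixed interval, worked through from the defender's side. This is an added example, not code from the talk or from Nishang/PowerPreter. It assumes a simplified proxy log line format (timestamp, client IP, method, URL) and the sample lines are constructed here; the thresholds (`min_requests`, `max_cv`) are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). One client (10.0.0.5) fetches
# the same URL about every 60 seconds, the other browses at irregular times.
SAMPLE_LOG = """\
2013-08-03T10:00:00 10.0.0.5 GET http://paste.example/raw/check
2013-08-03T10:00:17 10.0.0.9 GET http://news.example/front
2013-08-03T10:01:00 10.0.0.5 GET http://paste.example/raw/check
2013-08-03T10:01:42 10.0.0.9 GET http://news.example/story/1
2013-08-03T10:02:01 10.0.0.5 GET http://paste.example/raw/check
2013-08-03T10:02:03 10.0.0.9 GET http://news.example/story/2
2013-08-03T10:03:00 10.0.0.5 GET http://paste.example/raw/check
2013-08-03T10:03:59 10.0.0.5 GET http://paste.example/raw/check
2013-08-03T10:04:30 10.0.0.9 GET http://news.example/front
2013-08-03T10:05:00 10.0.0.5 GET http://paste.example/raw/check
"""


def parse_log(text):
    """Group request timestamps by (client, url). Assumed line format:
    '<ISO timestamp> <client ip> <method> <url>'."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        events[(client, url)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_requests=5, max_cv=0.10):
    """Flag (client, url) pairs whose inter-request gaps are nearly constant.

    The coefficient of variation (stdev / mean of the gaps) is close to 0 for a
    fixed-interval poller and much larger for human browsing. A real deployment
    would also model deliberate jitter; this shows the fixed-interval case only."""
    findings = []
    for (client, url), times in events.items():
        if len(times) < min_requests:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "url": url,
                "requests": len(times),
                "period_s": round(avg, 1),
                "jitter_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {hit['client']} -> {hit['url']} "
              f"every ~{hit['period_s']}s ({hit['requests']} requests)")
```

Run over the constructed log this reports the 10.0.0.5 poller with a period of about 60 seconds and a jitter coefficient near 0.015, while the irregular browsing from 10.0.0.9 never reaches the request threshold for any single URL. A check-URL that changes content only when the operator posts "start123" or "stop" does nothing to change this timing signature, which is exactly the weakness the talk acknowledges.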
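The web shell's "encode and execute" option, and the talk's broader point that administrators do not scrutinize PowerShell, seen from the detection side: recovering the script behind a `-EncodedCommand` argument in a process-creation log. This is an added example, not code from the talk or from Nishang. It assumes a constructed log line format (the sample line is built here from a harmless script so the example is self-consistent), relies on the documented fact that `-EncodedCommand` carries Base64 of UTF-16LE text and that powershell.exe accepts any unambiguous prefix of the switch, and the "looks compressed" heuristic is an assumption about what a compress-then-encode stage typically references, not a description of Compress-PostScript.

```python
import base64
import re

# Harmless constructed script used only to build a self-consistent sample line.
SAMPLE_SCRIPT = "Get-Process | Select-Object Name, Id"


def build_sample_log_line(script=SAMPLE_SCRIPT):
    """Constructed process-creation log line (hypothetical host/user names)."""
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return ("2013-08-03T10:07:12 host=WS01 user=alice image=powershell.exe "
            f"cmdline=\"powershell.exe -NoProfile -EncodedCommand {blob}\"")


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Longest alternatives first so the regex engine does not stop at "-e".
_FLAG = (r"-(?:encodedcommand|encodedcomman|encodedcomma|encodedcomm|encodedcom|"
         r"encodedco|encodedc|encoded|encode|encod|enco|enc|en|ec|e)")
ENC_RE = re.compile(rf"(?<!\S){_FLAG}\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Assumed heuristic: a decoded first stage that inflates a second stage usually
# references a .NET compression stream and FromBase64String.
COMPRESSION_HINT = re.compile(
    r"IO\.Compression\.(?:Deflate|GZip)Stream|FromBase64String", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext script carried by -EncodedCommand, or None if the
    command line has no such switch or the argument is not valid Base64/UTF-16LE."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyze_log_line(line):
    """Decode the encoded command in a log line and tag likely compressed stagers."""
    script = decode_encoded_command(line)
    if script is None:
        return None
    return {
        "script": script,
        "looks_compressed": bool(COMPRESSION_HINT.search(script)),
    }


if __name__ == "__main__":
    sample = build_sample_log_line()
    print(analyze_log_line(sample))
```

The decoded text is what a detection rule should match on, not the Base64 blob: the same script encodes to a different blob after any whitespace change, while its plaintext still contains the cmdlet names an analyst expects to see. Lines where `looks_compressed` is true deserve a second decoding pass because the visible script is only a loader for the real payload.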
